Hi,

We need to pass some argument to the script. Is it some specific argument name which I need to pass to stdin?

I tried passing "alert" as the argument with my script in following way but didn't work:

path_to_script/myscript.sh "alert"

I assume you should be able to read the arguments passed via the CLI command that calls your script in the standard way.

Unless we're not passing the arguments when the script is called (which is possible).

The data that is provided as part of the log that triggers the script would be passed through stdin (I believe). 

Dameon Welch Abernathy  How can we get the list of arguments / parameters so i can use the same in my external script.

Thanks

We are not passing specific arguments. 

We are passing the relevant log entry thru stdin to the script.

What is passed will depend on the log entry.

Viewing logs using the CLI command "fw log" will give you a rough idea of what is sent (and it will vary depending on the log entry).

Dameon Welch Abernathy Thanks for replying. How can I call that specific log from the script?

Dameon Welch AbernathyThank you for the reply.

As you can see I have defined my external script here so once a matching rule is met the script is executing successfully.

In the script (UD_SCRIPT) I have a simple code which will print lines and a text into a text file .Below is my script content.

If the policy is met the following script will execute.

so when i view the text file that was created by the script I can see that the script executed successfully.

What I want is to get the following values through my external script

HeaderDateHour: 24May2018 17:36:51; ContentVersion: x; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: ctl; Origin: xxxxx; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=xxxxxxxxx,O=cpm.xxxx; OriginSicName: CN=xxxxxxxxxxx,O=cxxxxxxxx..xxxx; HighLevelLogKey: xxxxxxxxxxx; cluster_info: (ClusterXL) member 1 (xx.xx.xx.xx) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

How can I do this? Thanks for your time and for replying

$1 is the first argument passed to the script, which is not the same thing as standard input.

You want to use the "read" command.

Using your sample, it'd be something like:

#!/bin/bash

echo "-----------" >> /tmp/kbs1.txt

read input

echo $input >> /tmp/kbs1.txt

Dameon Welch Abernathy‌ Thank you very much this worked!

Am I to understand there is NO facility to format the email that gets sent via sendmail form the SMS when enabling alerts? No XML, no text file? Really? This is just gibberish for a customer. What was the purpose for the alerts? Is there any COMPLETE documentation on the abilities or the lack thereof?

Hello, Is there any way to format these emails? This is all gibberish to the customer. No xml? no text files? to adjust only the fields we want to see? Any documentation on what all these fields are?

HeaderDateHour: 20Mar2019 0:22:33; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x5c91c009,0x0,0x17000b0a,0xc0000002}; SequenceNum: 1; Action: accept; Origin: GCBFW2; IfDir: >; InterfaceName: eth2; Alert: mail; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; HighLevelLogKey: 18446744073709551615; inzone: Internal; outzone: Local; service_id: ssh; src: V84af7e3e-e52f-4e45-8b5e-ce3a21a5d21e; dst: GCBFW2; proto: tcp; xlatesrc: ; xlatedst: ; NAT_rulenum: 107; NAT_addtnl_rulenum: 1; security_inzone: Interface_inside; security_outzone: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 272f1cae-8179-4bb4-b5e6-e46943b12057; layer_name: Hbg_5600_Cluster Network; rule_uid: 379515d1-7b4f-42f9-99f3-3ec0fba782d1; rule_name: SSH Access to GW's or SMS will generate an email.; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 57388; xlatedport_svc: ; xlatesport_svc: ; ProductFamily: Network;

After reading the questions and answers, I found myself with the same problem of trying to get the information in a readable-ish format, and going through an Office 365 cloud server. The internal_sendmail command wasn't working for me because the Mgmt server's hostname was only FW-MGT (didn't have an FQDN), so Office365 always rejected it. So I'm using the regular sendmail in Gaia. 

Note: In the Office365 Exchange Admin, I went to the spam whitelist and added the NAT address of the Mgmt server so that Office365 accepts the emails. It doesn't allow relays because the connection is not authenticated, and getting Auth to work was more trouble than I wanted.

The script reads the standard input and puts it into an $input variable. Then I use sed to replace the semi-colon with newlines, and write it to a file. Then I read the file again with sed, to output only the line that has either 'System Alert' or 'cluster_info' (the two most common events I found, but you can add more if you want), and put it into a $subject variable.

I then erase the file by writing the 'To:  ' line, i.e 'To: SOC team'.

Then I append the 'Subject: Check Point: $subject' line to the file, so that it's apparent what's going on from the subject of the email.

Then I append a blank line, and then append the $input processed as before with sed, changing semi-colons to newlines.

Finally I use sendmail with the --domain parameter so that Office365 accepts the EHLO command, -f as the email sender, -v as the email destination address, host as the mail server, and the input is the file we create above. As you can see I use Office365 with the yourdomain-com.mail.protection.outlook.com host.

The entire script looks like this:

#!/bin/bash
read input
echo $input | sed 's/;/\n/g' >mail.txt
subject="$(sed -n -e '/cluster_info/p' -e '/System Alert/p' mail.txt)"
echo "TO: SOC Team" > mail.txt
echo "Subject: Check Point: $subject" >> mail.txt
echo "" >>mail.txt
echo $input | sed 's/;/\n/g' >>mail.txt
sendmail --domain=checkpoint.com -f cpalerts@checkpoint.com -v alerts@yourdomain.com --host=yourdomain-com.mail.protection.outlook.com 

Remember to chmod 555 the script so that it can run, and then use it in the User defined alerts of Global Properties.

The email you receive will look something like:

Subject: Check Point:  System Alert message: CLUSTER-CP is disconnected

 HeaderDateHour: 5Aug2019 21:34:21
 ContentVersion: 5
 HighLevelLogKey: N/A
 Uuid: {0x0,0x0,0x0,0x0}
 SequenceNum: 1
 Action:
 Origin: FW-MGT
 IfDir: <
 IfName: N/A
 Alert: useralert
 OriginSicName: N/A
 System Alert message: GW1 is disconnected
 Object: GW1
 Event: Exception
 Parameter: status_connection
 Condition: is
 Current value: 8
 ProductName: System Monitor
 ProductFamily: Network

Hi

I also would like to use this feature but so far no luck 😕

For this moment I use simple script just to confirm that I can capture the log data as below:

[Expert@sms01:0]# ll $FWDIR/bin/ud_script.sh
-rwxrwxrwx 1 admin bin 92 Jul 1 14:06 /opt/CPsuite-R81/fw1/bin/ud_script.sh

[Expert@sms:0]# cat $FWDIR/bin/ud_script.sh
#!/bin/bash
echo "-----------" >> /tmp/kbs1.txt
read input
echo $input >> /tmp/kbs1.txt

In Global Properties I checked "Run UserDefined Script" and set path:
$FWDIR/bin/ud_script.sh

I set track method on access rule to "Log - User Alert 1"

kbs1.txt file is not being created in /tmp. 

Can someone give me a clue why this feature is not working ?

you need to put the script inside the management machine, NOT the FW machine.